[ ok ] Starting enhanced syslogd: rsyslogd.
[   12.719309] audit: type=1400 audit(1516278308.903:5): avc: denied { syslog } for pid=3506 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   19.248104] audit: type=1400 audit(1516278315.431:6): avc: denied { map } for pid=3646 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.15.193' (ECDSA) to the list of known hosts.
executing program
[   28.854415] audit: type=1400 audit(1516278325.038:7): avc: denied { map } for pid=3661 comm="syzkaller305190" path="/root/syzkaller305190205" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   28.884792] ==================================================================
[   28.892195] BUG: KASAN: use-after-free in ip6_xmit+0x1ce9/0x2090
[   28.898311] Read of size 8 at addr ffff8801c1597018 by task syzkaller305190/3661
[   28.905810]
[   28.907411] CPU: 0 PID: 3661 Comm: syzkaller305190 Not tainted 4.15.0-rc8-next-20180118+ #100
[   28.916044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   28.925370] Call Trace:
[   28.927935]  dump_stack+0x194/0x257
[   28.931535]  ? arch_local_irq_restore+0x53/0x53
[   28.936177]  ? show_regs_print_info+0x18/0x18
[   28.940652]  ? ip6_xmit+0x1ce9/0x2090
[   28.944428]  print_address_description+0x73/0x250
[   28.949245]  ? ip6_xmit+0x1ce9/0x2090
[   28.953016]  kasan_report+0x23b/0x360
[   28.956793]  __asan_report_load8_noabort+0x14/0x20
[   28.961693]  ip6_xmit+0x1ce9/0x2090
[   28.965303]  ? ip6_finish_output2+0x23a0/0x23a0
[   28.969947]  ? fl6_update_dst+0x127/0x2b0
[   28.974070]  ? check_noncircular+0x20/0x20
[   28.978278]  ? inet6_csk_route_socket+0x691/0xe80
[   28.983100]  ? lock_acquire+0x1d5/0x580
[   28.987046]  ? lock_acquire+0x1d5/0x580
[   28.990997]  ? inet6_csk_xmit+0x114/0x580
[   28.995126]  ? lock_release+0xa40/0xa40
[   28.999089]  inet6_csk_xmit+0x2fc/0x580
[   29.003035]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.007763]  ? __sk_dst_check+0x1a5/0x380
[   29.011885]  ? sk_wait_data+0x610/0x610
[   29.015847]  l2tp_xmit_skb+0x105f/0x1410
[   29.019890]  ? l2tp_session_create+0xbf0/0xbf0
[   29.024443]  ? sock_wmalloc+0x15d/0x1d0
[   29.028391]  ? iov_iter_advance+0x13f0/0x13f0
[   29.032857]  ? lock_release+0xa40/0xa40
[   29.036809]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.041106]  pppol2tp_sendmsg+0x470/0x670
[   29.045226]  ? selinux_socket_sendmsg+0x36/0x40
[   29.049880]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   29.054696]  sock_sendmsg+0xca/0x110
[   29.058383]  ___sys_sendmsg+0x320/0x8b0
[   29.062332]  ? copy_msghdr_from_user+0x590/0x590
[   29.067073]  ? __pmd_alloc+0x4e0/0x4e0
[   29.070949]  ? __fget_light+0x297/0x380
[   29.074897]  ? fget_raw+0x20/0x20
[   29.078320]  ? find_held_lock+0x35/0x1d0
[   29.082361]  ? __do_page_fault+0x5f7/0xc90
[   29.086572]  ? lock_downgrade+0x980/0x980
[   29.090707]  __sys_sendmmsg+0x1ee/0x620
[   29.094655]  ? __sys_sendmmsg+0x1ee/0x620
[   29.098781]  ? SyS_sendmsg+0x50/0x50
[   29.102473]  ? mm_fault_error+0x2c0/0x2c0
[   29.106602]  ? SYSC_bind+0x410/0x410
[   29.110298]  ? __do_page_fault+0xc90/0xc90
[   29.114515]  ? sock_map_fd+0x53/0x90
[   29.118202]  ? SyS_socket+0x12d/0x1d0
[   29.121978]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.126970]  SyS_sendmmsg+0x35/0x60
[   29.130585]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   29.135311] RIP: 0033:0x440339
[   29.138472] RSP: 002b:00007fff22989688 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   29.146150] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440339
[   29.153392] RDX: 0000000000000002 RSI: 0000000020091f88 RDI: 0000000000000004
[   29.160633] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   29.167876] R10: 0000000004004080 R11: 0000000000000217 R12: 0000000000401c60
[   29.175118] R13: 0000000000401cf0 R14: 0000000000000000 R15: 0000000000000000
[   29.182378]
[   29.183980] Allocated by task 3424:
[   29.187582]  save_stack+0x43/0xd0
[   29.191004]  kasan_kmalloc+0xad/0xe0
[   29.194687]  kasan_slab_alloc+0x12/0x20
[   29.198631]  kmem_cache_alloc+0x12e/0x760
[   29.202750]  __anon_vma_prepare+0xbc/0x6b0
[   29.206955]  __handle_mm_fault+0x3099/0x3ce0
[   29.211333]  handle_mm_fault+0x38f/0x930
[   29.215366]  __do_page_fault+0x5c9/0xc90
[   29.219399]  do_page_fault+0xee/0x720
[   29.223168]  page_fault+0x4c/0x60
[   29.226588]
[   29.228189] Freed by task 3424:
[   29.231439]  save_stack+0x43/0xd0
[   29.234864]  __kasan_slab_free+0x11a/0x170
[   29.239071]  kasan_slab_free+0xe/0x10
[   29.242840]  kmem_cache_free+0x86/0x2b0
[   29.246785]  unlink_anon_vmas+0x20d/0x9f0
[   29.250905]  free_pgtables+0x21e/0x330
[   29.254764]  exit_mmap+0x291/0x500
[   29.258278]  mmput+0x223/0x6c0
[   29.261442]  do_exit+0x90a/0x1ad0
[   29.264864]  do_group_exit+0x149/0x400
[   29.268721]  SyS_exit_group+0x1d/0x20
[   29.272496]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   29.277218]
[   29.278819] The buggy address belongs to the object at ffff8801c1597000
[   29.278819]  which belongs to the cache anon_vma_chain of size 64
[   29.291618] The buggy address is located 24 bytes inside of
[   29.291618]  64-byte region [ffff8801c1597000, ffff8801c1597040)
[   29.303287] The buggy address belongs to the page:
[   29.308185] page:ffffea00070565c0 count:1 mapcount:0 mapping:ffff8801c1597000 index:0x0
[   29.316297] flags: 0x2fffc0000000100(slab)
[   29.320501] raw: 02fffc0000000100 ffff8801c1597000 0000000000000000 000000010000002a
[   29.328351] raw: ffffea000708fde0 ffffea000729ae60 ffff8801dad30500 0000000000000000
[   29.336199] page dumped because: kasan: bad access detected
[   29.341875]
[   29.343475] Memory state around the buggy address:
[   29.348374]  ffff8801c1596f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   29.355704]  ffff8801c1596f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   29.363032] >ffff8801c1597000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[   29.370359]                             ^
[   29.374478]  ffff8801c1597080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[   29.381809]  ffff8801c1597100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[   29.389144] ==================================================================
[   29.396474] Disabling lock debugging due to kernel taint
[   29.401934] Kernel panic - not syncing: panic_on_warn set ...
[   29.401934]
[   29.409270] CPU: 0 PID: 3661 Comm: syzkaller305190 Tainted: G    B             4.15.0-rc8-next-20180118+ #100
[   29.419202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   29.428524] Call Trace:
[   29.431091]  dump_stack+0x194/0x257
[   29.434693]  ? arch_local_irq_restore+0x53/0x53
[   29.439332]  ? kasan_end_report+0x32/0x50
[   29.443452]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   29.448176]  ? vsnprintf+0x1ed/0x1900
[   29.451950]  ? ip6_xmit+0x1c40/0x2090
[   29.455719]  panic+0x1e4/0x41c
[   29.458881]  ? refcount_error_report+0x214/0x214
[   29.463607]  ? add_taint+0x1c/0x50
[   29.467115]  ? add_taint+0x1c/0x50
[   29.470625]  ? ip6_xmit+0x1ce9/0x2090
[   29.474393]  kasan_end_report+0x50/0x50
[   29.478336]  kasan_report+0x148/0x360
[   29.482110]  __asan_report_load8_noabort+0x14/0x20
[   29.487011]  ip6_xmit+0x1ce9/0x2090
[   29.490614]  ? ip6_finish_output2+0x23a0/0x23a0
[   29.495252]  ? fl6_update_dst+0x127/0x2b0
[   29.499375]  ? check_noncircular+0x20/0x20
[   29.503588]  ? inet6_csk_route_socket+0x691/0xe80
[   29.508404]  ? lock_acquire+0x1d5/0x580
[   29.512345]  ? lock_acquire+0x1d5/0x580
[   29.516287]  ? inet6_csk_xmit+0x114/0x580
[   29.520406]  ? lock_release+0xa40/0xa40
[   29.524356]  inet6_csk_xmit+0x2fc/0x580
[   29.528301]  ? inet6_csk_update_pmtu+0x160/0x160
[   29.533025]  ? __sk_dst_check+0x1a5/0x380
[   29.537140]  ? sk_wait_data+0x610/0x610
[   29.541091]  l2tp_xmit_skb+0x105f/0x1410
[   29.545128]  ? l2tp_session_create+0xbf0/0xbf0
[   29.549678]  ? sock_wmalloc+0x15d/0x1d0
[   29.553767]  ? iov_iter_advance+0x13f0/0x13f0
[   29.558246]  ? lock_release+0xa40/0xa40
[   29.562206]  ? pppol2tp_sendmsg+0x41b/0x670
[   29.566505]  pppol2tp_sendmsg+0x470/0x670
[   29.570624]  ? selinux_socket_sendmsg+0x36/0x40
[   29.575265]  ? pppol2tp_session_ioctl+0xa90/0xa90
[   29.580076]  sock_sendmsg+0xca/0x110
[   29.583762]  ___sys_sendmsg+0x320/0x8b0
[   29.587712]  ? copy_msghdr_from_user+0x590/0x590
[   29.592442]  ? __pmd_alloc+0x4e0/0x4e0
[   29.596309]  ? __fget_light+0x297/0x380
[   29.600252]  ? fget_raw+0x20/0x20
[   29.603674]  ? find_held_lock+0x35/0x1d0
[   29.607709]  ? __do_page_fault+0x5f7/0xc90
[   29.611912]  ? lock_downgrade+0x980/0x980
[   29.616036]  __sys_sendmmsg+0x1ee/0x620
[   29.619978]  ? __sys_sendmmsg+0x1ee/0x620
[   29.624105]  ? SyS_sendmsg+0x50/0x50
[   29.627790]  ? mm_fault_error+0x2c0/0x2c0
[   29.631908]  ? SYSC_bind+0x410/0x410
[   29.635597]  ? __do_page_fault+0xc90/0xc90
[   29.639813]  ? sock_map_fd+0x53/0x90
[   29.643495]  ? SyS_socket+0x12d/0x1d0
[   29.647264]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   29.652250]  SyS_sendmmsg+0x35/0x60
[   29.655851]  entry_SYSCALL_64_fastpath+0x29/0xa0
[   29.660578] RIP: 0033:0x440339
[   29.663737] RSP: 002b:00007fff22989688 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
[   29.671413] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440339
[   29.678653] RDX: 0000000000000002 RSI: 0000000020091f88 RDI: 0000000000000004
[   29.685899] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   29.693142] R10: 0000000004004080 R11: 0000000000000217 R12: 0000000000401c60
[   29.700387] R13: 0000000000401cf0 R14: 0000000000000000 R15: 0000000000000000
[   29.707986] Dumping ftrace buffer:
[   29.711495]    (ftrace buffer empty)
[   29.715177] Kernel Offset: disabled
[   29.718772] Rebooting in 86400 seconds..
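Reading the report above by hand: the faulting address ffff8801c1597018 sits in the shadow row marked with '>', its shadow byte is fb (the generic-KASAN poison for a freed slab object), the run of fb bytes around it covers eight 8-byte granules, which is the 64-byte anon_vma_chain object, and the access lands 0x18 = 24 bytes into that object, exactly what the "located 24 bytes inside of 64-byte region" lines say. The script below is an added example, not part of the syzkaller report and not the kernel's own KASAN reporting code; it re-derives those facts from nothing but the "Read of size" line and the "Memory state" rows. The sample input is copied from the report above; the poison constants are the generic KASAN values from mm/kasan/kasan.h of 4.x-era kernels, and the verdict names are a simplified mapping chosen for this example rather than the kernel's own bug-type logic. It also generalises to a redzone hit: pointing the same dump at ffff8801c1597040 yields slab-out-of-bounds.

```python
import re

# Constructed sample: the access line and the "Memory state" block copied
# from the KASAN report above, so the script runs offline.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in ip6_xmit+0x1ce9/0x2090
Read of size 8 at addr ffff8801c1597018 by task syzkaller305190/3661
Memory state around the buggy address:
 ffff8801c1596f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c1596f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c1597000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
                            ^
 ffff8801c1597080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801c1597100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
"""

SCALE = 8  # generic KASAN: one shadow byte describes an 8-byte granule

# Poison values from mm/kasan/kasan.h (generic KASAN, 4.x-era kernels) and
# the simplified verdict this example assigns to each one.
POISON = {
    0xFF: ("KASAN_FREE_PAGE", "use-after-free"),
    0xFE: ("KASAN_PAGE_REDZONE", "page-out-of-bounds"),
    0xFC: ("KASAN_KMALLOC_REDZONE", "slab-out-of-bounds"),
    0xFB: ("KASAN_KMALLOC_FREE", "use-after-free"),
    0xFA: ("KASAN_GLOBAL_REDZONE", "global-out-of-bounds"),
    0xF1: ("KASAN_STACK_LEFT", "stack-out-of-bounds"),
    0xF2: ("KASAN_STACK_MID", "stack-out-of-bounds"),
    0xF3: ("KASAN_STACK_RIGHT", "stack-out-of-bounds"),
    0xF4: ("KASAN_STACK_PARTIAL", "stack-out-of-bounds"),
    0xF8: ("KASAN_USE_AFTER_SCOPE", "use-after-scope"),
}

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
ROW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)


def parse_report(text):
    """Return (kind, size, addr, shadow); shadow maps the kernel address of
    every granule in the dumped rows to its shadow byte."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shadow = {}
    for row in ROW_RE.finditer(text):
        base = int(row.group(1), 16)
        for i, byte in enumerate(row.group(2).split()):
            shadow[base + i * SCALE] = int(byte, 16)
    return kind, size, addr, shadow


def granule_of(addr):
    return addr & ~(SCALE - 1)


def poisoned_run(shadow, addr):
    """Bounds [lo, hi) of the run of granules sharing addr's shadow byte:
    for 0xfb that is the whole freed object, for 0xfc the redzone."""
    g = granule_of(addr)
    tag = shadow[g]
    lo, hi = g, g + SCALE
    while shadow.get(lo - SCALE) == tag:
        lo -= SCALE
    while shadow.get(hi) == tag:
        hi += SCALE
    return lo, hi


def classify_access(text):
    """Re-derive the KASAN verdict from the shadow dump alone."""
    kind, size, addr, shadow = parse_report(text)
    first, last = granule_of(addr), granule_of(addr + size - 1)
    bad = None
    for g in range(first, last + 1, SCALE):
        if g not in shadow:
            raise ValueError(f"granule {g:#x} is outside the dumped window")
        b = shadow[g]
        # how far into this granule the access reaches, in bytes
        reach = min(addr + size, g + SCALE) - g
        # 0: all 8 bytes addressable; 1..7: only the first b bytes are;
        # anything else is a poison value
        if b >= SCALE or (b and reach > b):
            bad = b
            break
    result = {"kind": kind, "size": size, "addr": addr}
    if bad is None:
        result["verdict"] = "ok"
        return result
    if bad < SCALE:
        name, verdict = f"partial granule ({bad} bytes addressable)", "out-of-bounds"
    else:
        name, verdict = POISON.get(bad, (f"poison {bad:#04x}", "bad-access"))
    lo, hi = poisoned_run(shadow, addr)
    result.update(shadow_byte=bad, poison=name, verdict=verdict,
                  region=(lo, hi), offset_in_region=addr - lo)
    return result


if __name__ == "__main__":
    r = classify_access(SAMPLE_REPORT)
    print(f"{r['kind']} of size {r['size']} at {r['addr']:#x}: {r['verdict']} "
          f"({r['poison']}), {r['offset_in_region']} bytes into "
          f"[{r['region'][0]:#x}, {r['region'][1]:#x})")
```

Only the two regexes touch the report text, so the same script triages any generic-KASAN report whose "Memory state" block is intact; a dump that has been wrapped or had its leading space stripped will simply produce no rows, and classify_access then fails loudly instead of guessing.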